A little warning from the British and American governments today: Kremlin-funded spies might have found a way into your home office.

The U.K. and U.S. blamed Russian hackers for a campaign aimed at taking control of routers inside government, critical infrastructure and internet service providers, but also within small and home offices. The warning came in a joint announcement from British intelligence, the National Security Council (NSC), the DHS and the FBI on Monday. In a media briefing ahead of the announcement, Rob Joyce, special assistant to the president and cybersecurity coordinator at the National Security Council, said there was "high confidence" Russia was behind the attacks. The hacks were being tracked by British intelligence from a year ago, said Ciaran Martin, director of U.K.'s National Cyber Security Centre, run out of intelligence agency GCHQ, whilst the U.S. noted the attacks started back in 2015.

The joint technical alert said Russian state-sponsored hackers had attempted to breach network routers, switches, firewalls and network intrusion detection systems across the world. Those routers were compromised to carry out so-called "man-in-the-middle" attacks where data going between computers and internet servers is intercepted, the NCSC said. That was being done "to support espionage, extract intellectual property, maintain persistent access to victim networks and potentially lay a foundation for future offensive operations," according to a statement from the NCSC.

Martin said the sustained targeting had continued for months and could have been used for espionage, the theft of intellectual property, or for "use in times of tension." He said millions of machines were being targeted and many had been seized by hackers to get access to ISP customers, to spy on organizations and their connections. That included the U.K. government, he added.

Joyce said "we can't rule out Russia may attempt to use this [hacked] infrastructure for further attacks." Advice will be handed out to potentially affected entities today, marking the first time the U.K. and the U.S. have pushed out such recommendations together. "The actions you're seeing today is one in a series of steps against this unacceptable activity," Joyce added.

Jeanette Manfra, chief cybersecurity official for the DHS, said that amongst its techniques, the Russians had scanned for devices running vulnerable Cisco Smart Install software designed to make it easy to set up network equipment from the massive networking manufacturer. Cisco itself recently warned about attacks aimed at the product, warning they could put critical infrastructure at risk.

Whilst the agencies weren't forthcoming with names of victims, they were open in pointing fingers at the Kremlin. Both the U.K. and U.S. governments have blamed Russia for other recent cyberattacks, including the NotPetya ransomware, which first spread in Ukraine before taking down global businesses, including shipping giants Maersk and FedEx. Just last week, in his first public speech as GCHQ director, Jeremy Fleming warned of "reckless" Russian activities in the real world after the poisoning of a former spy living in the U.K. and the nation's "unacceptable" online behavior.

The U.S. had previously claimed Russia was responsible for the cyberattack on the Democratic National Committee (DNC) and for attempting to influence the 2016 election via digital means. The Kremlin has denied all the above allegations levelled at its government.

Increasing cyber tensions

As for what Russia could do with all those hacked routers, Professor Alan Woodward, a cybersecurity expert from the University of Surrey, raised concerns about the potential for "a significant attack infrastructure from which onward attacks could be mounted."

"Imagine, for example, a massive distributed denial of service (DDoS) attack where the source of the attack was home routers - who would you blame? Now imagine a situation where you have already said we know certain routers have been compromised and could be at the behest of the Russians and then there was such an attack... plausible deniability become less plausible," Woodward said.

Joyce said he hoped the efforts of all the governments involved in today's announcement would be able to prevent such a future attack happening. In response to a question from Forbes, Joyce said that when a hacker controls a router and has access to parts of the internet backbone, "we worry about what they can be used for," whether that's a DDoS or other offensive cyberattacks.

Peter Singer, strategist and senior fellow at New America, had something of a warning for Joyce and his colleagues: "It points to the scale problem that comes out of staying quiet for so long. Once they called out one attack, it raised the problem of failing to do so about all the others."

Russia responds

In response to today's allegations, in an emailed comment from the Russian Embassy in London, a spokesperson said: "We consider these accusations and speculations as striking examples of a reckless, provocative and unfounded policy against Russia. We are disappointed by the fact that such serious claims have been made publicly, without any proof being presented and without any attempt by the United Kingdom to clarify the situation with the Russian side in the first place.

"Given that in recent days the British media, instigated by official statements, has again started to exploit the issue of 'cyberthreats from Russia,' impression grows that the British public is being prepared for a massive cyber attack by the UK against Russia, that will purport to be of a retaliatory nature, but would in fact constitute unprovoked use of force.

"Russia is not planning to conduct any cyber attacks against the United Kingdom. We expect the British government to declare the same."

I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist ...